|4||CWCS Managed Hosting||Linux||0:00:00||0.000||0.314||0.079||0.156||0.156|
|5||Hyve Managed Hosting||Linux||0:00:00||0.000||0.146||0.079||0.158||0.158|
Aruba had the most reliable hosting company site in February 2022, continuing to top the table for the third consecutive month. Aruba provides hosting, cloud and digital signature services, fibre optic internet, digital preservation, and much more, with data centres across Europe in the UK, Germany, Czechia, Poland, Italy and France. The top nine hosting company sites each responded to all of Netcraft’s requests and were separated by average connection time.
Rackspace came in second place, keeping its second place podium spot for the third consecutive month and appearing in the top two for the fifth consecutive month. The company offers a variety of cloud hosting solutions from 19 data centres across five different continents in the Americas, Europe, Asia and Australia. In third place, Bigstep provides bare metal hosting solutions from data centres in the UK and Romania with additional facilities in North America and Europe for project delivery.
Nine of the top 10 hosting company sites used Linux in February, with the operating system continuing its dominance in the table. Swishmail used an unidentified OS.
In the February 2022 survey we received responses from 1,173,621,471 sites across 271,199,972 unique domains and 11,774,714 web-facing computers. This reflects a gain of 5.91 million sites, 1.36 million domains and 73,800 computers.
OpenResty experienced the strongest growth this month, both in overall sites and domains, with increases of 10.4 million sites and 546,000 domains. This represents a large 13.0% increase in its number of sites, but a more modest 1.4% increase in domains. Its market share in the domains metric now stands at 15.1%, an increase of 0.13 percentage points since January.
nginx closely followed OpenResty with a growth of 538,000 domains, helping it to maintain its leading 26.7% market share. nginx also saw strong growth in web-facing computers, which increased by 53,500. In contrast to its gains in these metrics, nginx lost 12.1 million sites this month (-3.2%), however it retains its position as the most commonly used web server with 31.1% of all sites using it.
Cloudflare continues to make strong gains amongst the million busiest websites, where it saw the only notable increases, with an additional 3,200 sites helping to bring its market share up to 19.4%. Apache, Microsoft and nginx all experienced losses in this metric; however, Apache and nginx still hold the top two positions with market shares of 23.3% and 22.1%.
- Apache Tomcat 9.0.59, 10.0.17 and 10.1.0-M11 (alpha) were released on 28 February 2022. Some of the notable changes are common between all three versions, including resolving a regression in a fix for a race condition, and improving the detection of the Linux duplicate accept bug.
- nginx 1.21.6 mainline was released on 25 January 2022. This version contains three bugfixes and no new features.
- Cloudflare has agreed to acquire Area 1 Security with the intention of integrating Area 1’s technology into its global network to protect customers from email-based security threats.
- Lighttpd 1.4.64 was released on 19 January 2022. This includes numerous changes, including a security fix for a buffer overflow vulnerability that would have been unlikely to affect most configurations.
|Developer||January 2022||Percent||February 2022||Percent||Change|
Posted in Web Server Survey
|3||Hyve Managed Hosting||Linux||0:00:00||0.000||0.149||0.084||0.167||0.167|
|10||New York Internet (NYI)||FreeBSD||0:00:00||0.017||0.592||0.082||0.164||0.164|
Aruba kicked off 2022 with the most reliable hosting company site in January, continuing to top the table from December 2021. The top six hosting company sites each responded to all of Netcraft’s requests in January and were separated by average connection time. Aruba provides hosting, cloud and digital signature services, fibre optic internet, digital preservation, and much more. The company has data centres across Europe in the UK, Germany, Czechia, Poland, Italy and France.
Rackspace and Hyve Managed Hosting came in second and third in January, which means the podium places are unchanged from December 2021. Rackspace provides a wide variety of cloud services from its global network of over 50 locations across five continents. Hyve offers cloud hosting, dedicated servers and managed services from data centres in 34 locations around the world.
Eight of the top 10 hosting company sites used Linux in January, continuing the dominance of Linux. FreeBSD made an appearance in eighth place with New York Internet and Swishmail used an unidentified OS.
Netcraft’s most recent Web Server Survey includes nearly 1.2 billion websites. Most of these sites return a server banner that shows which web server software they use, thus allowing us to determine the market shares of each server vendor since 1995.
Many of these server banners are simply short strings like “
Apache”, while others may include additional details that reveal which other software – and which versions – are installed on the server. One such example is “
Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.2k-fips DAV/2 PHP/5.5.38”.
A web server reveals its server banner via the Server HTTP response header. This string is not ordinarily exposed to users, but most browsers allow it to be viewed in the Network Inspector panel.
Web server software usually allows its server banner to be modified. A common reason for changing the default value is to reduce the amount of information that would be revealed to an attacker.
For example, if a web server advertises itself as running a vulnerable version of Apache, such as “
Apache/2.4.49” it could be more likely to come under attack than a server that reveals only “
Our Web Server Survey includes a few websites that return the following
Server header, which takes a deliberate swipe at the effectiveness of hiding this sort of information:
Server: REMOVED FOR PCI SCAN COMPLIANCE - SECURITY THROUGH OBSCURITY WORKS, RIGHT? - https://bit.ly/2nzfRrt
Of course, with this amount of flexibility, a cheeky or malicious administrator can configure a web server to pretend to be anything they want. Sometimes this is done in a deliberate attempt to cloak the truth or to mislead, while in others it may simply be done as a joke waiting to be found by anyone curious enough to look for the banner.
Unlikely server banners
Amongst the 1.2 billion websites, there are plenty of examples of unlikely server banners.
In the January 2022 survey we received responses from 1,167,715,133 sites across 269,835,071 unique domains and 11,700,892 web-facing computers. This reflects a loss of 1.15 million sites, but a gain of 1.51 million domains and 31,100 computers.
nginx lost 7.33 million sites this month (-1.91%) but continues to be the most commonly used web server with 32.3% of all sites using it. Although nginx’s share has fallen, Apache is still more than eight percentage points behind after losing 3.70 million sites (-1.31%), which has taken its own market share down to 23.9%.
nginx also leads in the domains metric, where it has a share of 26.6% compared with Apache’s 23.9%. This reflects a small reduction in nginx’s share – despite a modest gain of 25,400 domains – while Apache suffered the largest loss of 287,000 domains.
The largest site and domain growth was seen by Pepyaka, which is a web server that has primarily been used by the Wix web development platform since it switched from using nginx in 2018. The number of sites using Pepyaka grew by 4.02 million to 7.30 million this month, while its domain count went up by 1.80 million to 3.30 million.
The next largest domain growth was seen by OpenResty, which gained 686,000 domains this month, and 1.34 million sites in total. The second largest site growth was seen by Microsoft, which gained 2.46 million sites and now accounts for 4.86% of all sites and 5.00% of all domains.
Constraining the view to active sites, Apache is still the most commonly used web server, but its market share has fallen slightly to 23.4% after losing more than half a million active sites this month. Meanwhile, nginx gained 230,000 active sites and has increased its share to 20.2%.
Apache also maintains a slight lead in the top million websites, where it is used by 235,000 sites compared with 222,000 for nginx. However, Cloudflare has increased its presence by a further 4,959 sites and is now not too far behind with a total of 191,000. If this trend continues, Cloudflare could soon overtake both nginx and Apache to become the most commonly used top-million web server.
Looking at web-facing computers, nginx’s strong growth continues unabated. This month it is being used by an additional 32,700 web-facing computers and its market share has increased to 37.7%. Its lead over Apache was further extended by Apache’s loss of 29,100 computers, which sent Apache’s share down to 29.9%.
- Apache 2.4.52 was released on 20 December 2021. This is the latest release from the 2.4.x stable branch and includes two security fixes amongst a host of other changes.
- Apache Tomcat 9.0.56, 10.0.14 and 10.1.0-M8 (alpha) were released on 8 December 2021. Each of these versions include a fix for a known operating system bug that could cause incoming connections to be reported more than once.
- nginx 1.21.5 was released on 28 December 2021. This is the latest release in the mainline branch of nginx and is now built with the PCRE2 library by default.
- njs 0.7.1 was also released on 28 December 2021. This release includes several bugfixes and some other changes to ensure that njs scripts use the same regular expression library as nginx.
- Microsoft has mitigated an insecure default behaviour in the Azure App Service that inadvertently exposed hundreds of source code repositories. The team that found the vulnerability noted that it had existed since September 2017 and has probably been exploited in the wild. The problem could have impacted PHP, Node, Ruby, Python and Java applications that serve static content, as well as some Azure App Service Linux applications that were deployed using Local Git after files were created or modified in the content root.
- Cloudflare has introduced a new product called Bulk Redirects, which lets website administrators upload and enable large numbers of URL redirects. These were typically implemented with Page Rules before, which are limited to a maximum of 125 redirects.
- OpenResty 22.214.171.124 RC1 was released on 16 December 2021. This version is based on nginx 1.21.4 and adds several new features including support for BoringSSL.
|Developer||December 2021||Percent||January 2022||Percent||Change|
Posted in Web Server Survey
Netcraft has seen a large increase in survey scams impersonating well-known banks as a lure. These are often run under the guise of a prize in celebration of the bank’s anniversary, though in some cases a reward is promised just for participating.
These scams first came to Netcraft’s attention around 16 months ago, when businesses that were particularly useful during lockdown such as supermarkets, mobile phone networks, and delivery companies were targeted. The expansion of these attacks to use banks as a lure started in October 2021. To date we have seen over 75 distinct banks used as lures for these survey scams, with a global spread including banks from US, UK, Asia, and the Middle East.
Your link here? Advertising on the Netcraft Blog